j.england
CSM error when adding new subnet to group

Good morning,

I am attempting to add a new subnet to an existing group in CSM Enterprise v4.0.1 b7823. When adding a new subnet to the group (the group's only other content is another subnet), CSM issues several errors for each affected ASA:

Description:

Network BB(GROUPNAME,) referenced by the 'Http Network' on device(DEVICENAME) maps to more than one IP Addresses!

Cause:

Http is referring to a network object that maps to more than one IpAddress on the device

Action:

Please config the policy with network object that resolve to only one IpAddress.

There is an error for ICMP as well. Since the contents of the group are already a /24 subnet, I don't imagine it's a very accurate error. Has anyone come up against this?

Thanks very much.

Justin

Stefano De Crescenzo
Cisco Employee

Hi Justin,

I do not recall having hit this situation; however, I would suggest we investigate a bit more.

First thing, if you can, I would need to know the exact steps you followed to end up in this situation so I can try to reproduce it :). Also, it would be great if you could send a screenshot of the error.

Thanks

Stefano

Hi Stefano,

Really appreciate your response. I actually just had the time to sit down and investigate a bit more yesterday. This error was referring to the Device Access Platform Policies governing access to the firewalls via HTTP, ICMP, SSH, etc. The object causing the issues contained one subnet. When I attempted to add another subnet, these access policies rejected it because they allow only one entry in the contents of the objects being allowed. I simply had to create a new entry for each protocol access for each firewall.

Thanks for following up though!

Hi Justin,

What you are observing is normal, given the way we implemented the device access policy. As you probably know, in the CLI you can specify only one access rule per line for ssh, http, telnet, etc.

For example, if you want to allow ssh access to the ASA from hosts 1.1.1.1 and 2.2.2.2, you will have to put two lines:

ssh 2.2.2.2 255.255.255.255 outside

ssh 1.1.1.1 255.255.255.255 outside

In CSM we model these two lines as two different objects, so the building block object of type network that is referenced by the object of type ssh access can have ONLY one entry. This behavior is the same for ICMP as well.

Access-list is different because we model it in CSM in a different way, plus you can use an object-group to put together different networks. This is not possible for device access.

I hope this gave you a bit more insight into the reason.

Also, it would be great to mark this as the answer if that is the case.


Stefano

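The following is an added example illustrating Stefano's answer above; it is not code from the forum thread, from CSM, or from Cisco. It takes a list of management networks (a constructed sample, the kind of contents a CSM network "group" would hold) and emits the ASA device-access lines the way the ASA CLI requires them: exactly one network per `ssh`, `http` or `icmp` line, which is why the CSM network object behind a Device Access policy can hold only one entry. For contrast, the second function emits the access-list form, where a single `object-group network` can collect all the networks at once. The interface name, group name and ACL name are assumed placeholders.

```python
"""Expand management networks into ASA device-access lines (added example).

Not from the forum post or from CSM. Demonstrates the point in the answer above:
ASA `ssh`, `http` and `icmp` take one network per line, while an access-list can
reference an object-group holding many networks.
"""
import ipaddress

# Constructed sample input: the networks a CSM "group" used for device access might hold.
MGMT_NETWORKS = ["10.10.10.0/24", "10.20.0.0/16", "192.0.2.7/32"]


def device_access_lines(networks, interface="inside", protocols=("ssh", "http", "icmp")):
    """Return one ASA line per (protocol, network).

    Example line: `ssh 10.10.10.0 255.255.255.0 inside`.
    `interface` is an assumed placeholder for the management-facing interface name.
    """
    lines = []
    for proto in protocols:
        for net in networks:
            # strict=True rejects host bits set in a prefix (e.g. 10.10.10.5/24),
            # so a typo cannot silently widen or shift the allowed range.
            n = ipaddress.ip_network(net, strict=True)
            if n.version != 4:
                raise ValueError(f"IPv4 only in this example: {net}")
            if proto == "icmp":
                # ASA syntax: icmp {permit|deny} <addr> <mask> [type] <interface>
                lines.append(f"icmp permit {n.network_address} {n.netmask} {interface}")
            else:
                # ASA syntax: ssh|http <addr> <mask> <interface>
                lines.append(f"{proto} {n.network_address} {n.netmask} {interface}")
    return lines


def acl_with_object_group(networks, group_name="MGMT-NETS", acl_name="MGMT-IN"):
    """Contrast: an access-list can reference one object-group holding every network.

    `group_name` and `acl_name` are assumed placeholders.
    """
    lines = [f"object-group network {group_name}"]
    for net in networks:
        n = ipaddress.ip_network(net, strict=True)
        if n.prefixlen == 32:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    # One ACE covers all members of the group; device access has no equivalent.
    lines.append(f"access-list {acl_name} extended permit tcp object-group {group_name} any eq ssh")
    return lines


if __name__ == "__main__":
    print("! device access: one line per protocol and network")
    print("\n".join(device_access_lines(MGMT_NETWORKS)))
    print("! access-list: one object-group, one ACE")
    print("\n".join(acl_with_object_group(MGMT_NETWORKS)))
```

Adding a subnet to the management set therefore means adding one more `ssh`, `http` and `icmp` line per firewall (nine lines for the three sample networks), which is the same expansion CSM forces on you with a separate network object per Device Access entry. The `strict=True` check is worth keeping in any generator of this kind: management-plane access should only ever widen deliberately.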

Thanks for the rundown, that does clarify things quite a bit.  I am definitely more enlightened, and I appreciate the response!
